From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: "Linus Torvalds" <torvalds@linux-foundation.org>,
"Andy Lutomirski" <luto@kernel.org>,
"David Howells" <dhowells@redhat.com>,
"Serge Hallyn" <serge@hallyn.com>,
"John Johansen" <john.johansen@canonical.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Michal Hocko" <mhocko@kernel.org>,
"Ben Hutchings" <ben@decadent.org.uk>,
"Hugh Dickins" <hughd@google.com>,
"Oleg Nesterov" <oleg@redhat.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
"Rik van Riel" <riel@redhat.com>,
"James Morris" <james.l.morris@oracle.com>,
"Greg Ungerer" <gerg@linux-m68k.org>,
"Ingo Molnar" <mingo@kernel.org>,
"Nicolas Pitre" <nicolas.pitre@linaro.org>,
"Stephen Smalley" <sds@tycho.nsa.gov>,
"Paul Moore" <paul@paul-moore.com>,
"Vivek Goyal" <vgoyal@redhat.com>,
"Mickaël Salaün" <mic@digikod.net>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
"<linux-security-module@vger.kernel.org>"
<linux-security-module@vger.kernel.org>,
"SE Linux" <selinux@tycho.nsa.gov>
Subject: Re: [PATCH v2 1/8] exec: Correct comments about "point of no return"
Date: Mon, 10 Jul 2017 12:07:06 -0500 [thread overview]
Message-ID: <87pod8mdad.fsf@xmission.com> (raw)
In-Reply-To: <CAGXu5jKTaXLU+H6DnNuy6ggxcMDgo9G-wEmZ4RP=QneJaZuNDg@mail.gmail.com> (Kees Cook's message of "Mon, 10 Jul 2017 09:04:15 -0700")
Kees Cook <keescook@chromium.org> writes:
> On Mon, Jul 10, 2017 at 1:46 AM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>>
>> But you miss it.
>>
>> The "point of no return" is the call to de_thread. Or aguably anything in
>> flush_old_exec. Once anything in the current task is modified you can't
>> return an error.
>>
>> It very much does not have anything to do with brpm. It has
>> everything to do with current.
>
> Yes, but the thing that actually enforces this is the test of bprm->mm
> and the SIGSEGV in search_binary_handlers().
So what. Calling that the point of no return is wrong.
The point of no return is when we kill change anyting in signal_struct
or task_struct. AKA killing the first thread in de_thread.
It is more than just the SIGSEGV in search_binary_handlers that enforces
this. de_thread only returns (with a failure code) after having killed
some threads if those threads are dead.
Similarly exec_mmap only returns with failure if we know that a core
dump is pending, and as such the process will be killed before returning
to userspace.
I am a little worried that we may fail to dump some threads if a core
dump races with exec, but that is a quality of implementation issue, and
the window is very small so I don't know that it matters.
The point of no return very much comes a while before clearing brpm->mm.
>>> diff --git a/fs/exec.c b/fs/exec.c
>>> index 904199086490..7842ae661e34 100644
>>> --- a/fs/exec.c
>>> +++ b/fs/exec.c
>>> @@ -1285,7 +1285,14 @@ int flush_old_exec(struct linux_binprm * bprm)
>>> if (retval)
>>> goto out;
>>>
>>> - bprm->mm = NULL; /* We're using it now */
>>> + /*
>>> + * After clearing bprm->mm (to mark that current is using the
>>> + * prepared mm now), we are at the point of no return. If
>>> + * anything from here on returns an error, the check in
>>> + * search_binary_handler() will kill current (since the mm has
>>> + * been replaced).
>>> + */
>>> + bprm->mm = NULL;
>>>
>>> set_fs(USER_DS);
>>> current->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Cc: "Nicolas Pitre"
<nicolas.pitre-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
"Jason A. Donenfeld"
<Jason-OnJsPKxuuEcAvxtiuMwx3w@public.gmane.org>,
"Andy Lutomirski" <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Tetsuo Handa"
<penguin-kernel-1yMVhJb1mP/7nzcFbJAaVXf5DAMn2ifp@public.gmane.org>,
"Michal Hocko" <mhocko-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"David Howells"
<dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"SE Linux" <selinux-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"Ingo Molnar" <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Hugh Dickins" <hughd-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
"Greg Ungerer" <gerg-Td1EMuHUCqxL1ZNQvxDV9g@public.gmane.org>,
"Stephen Smalley" <sds-+05T5uksL2qpZYMLLGbcSA@public.gmane.org>,
"Vivek Goyal" <vgoyal-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"Rik van Riel" <riel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
"linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Alexander Viro"
<viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>,
"James Morris"
<james.l.morris-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
"Mickaël Salaün" <mic-WFhQfpSGs3bR7s880joybQ@public.gmane.org>,
"John Johansen"
<john.johansen-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
"Ben Hutchings" <ben-/+tVBieCtBitmTQ+vhA3Yw@public.gmane.org>,
"Oleg Nesterov" <oleg@r>
Subject: Re: [PATCH v2 1/8] exec: Correct comments about "point of no return"
Date: Mon, 10 Jul 2017 12:07:06 -0500 [thread overview]
Message-ID: <87pod8mdad.fsf@xmission.com> (raw)
In-Reply-To: <CAGXu5jKTaXLU+H6DnNuy6ggxcMDgo9G-wEmZ4RP=QneJaZuNDg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Kees Cook's message of "Mon, 10 Jul 2017 09:04:15 -0700")
Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org> writes:
> On Mon, Jul 10, 2017 at 1:46 AM, Eric W. Biederman
> <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>>
>> But you miss it.
>>
>> The "point of no return" is the call to de_thread. Or aguably anything in
>> flush_old_exec. Once anything in the current task is modified you can't
>> return an error.
>>
>> It very much does not have anything to do with brpm. It has
>> everything to do with current.
>
> Yes, but the thing that actually enforces this is the test of bprm->mm
> and the SIGSEGV in search_binary_handlers().
So what. Calling that the point of no return is wrong.
The point of no return is when we kill change anyting in signal_struct
or task_struct. AKA killing the first thread in de_thread.
It is more than just the SIGSEGV in search_binary_handlers that enforces
this. de_thread only returns (with a failure code) after having killed
some threads if those threads are dead.
Similarly exec_mmap only returns with failure if we know that a core
dump is pending, and as such the process will be killed before returning
to userspace.
I am a little worried that we may fail to dump some threads if a core
dump races with exec, but that is a quality of implementation issue, and
the window is very small so I don't know that it matters.
The point of no return very much comes a while before clearing brpm->mm.
>>> diff --git a/fs/exec.c b/fs/exec.c
>>> index 904199086490..7842ae661e34 100644
>>> --- a/fs/exec.c
>>> +++ b/fs/exec.c
>>> @@ -1285,7 +1285,14 @@ int flush_old_exec(struct linux_binprm * bprm)
>>> if (retval)
>>> goto out;
>>>
>>> - bprm->mm = NULL; /* We're using it now */
>>> + /*
>>> + * After clearing bprm->mm (to mark that current is using the
>>> + * prepared mm now), we are at the point of no return. If
>>> + * anything from here on returns an error, the check in
>>> + * search_binary_handler() will kill current (since the mm has
>>> + * been replaced).
>>> + */
>>> + bprm->mm = NULL;
>>>
>>> set_fs(USER_DS);
>>> current->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
Eric
next prev parent reply other threads:[~2017-07-10 17:07 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-10 7:57 [PATCH v2 0/8] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 1/8] exec: Correct comments about "point of no return" Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 8:46 ` Eric W. Biederman
2017-07-10 8:46 ` Eric W. Biederman
2017-07-10 16:04 ` Kees Cook
2017-07-10 16:04 ` Kees Cook
2017-07-10 17:07 ` Eric W. Biederman [this message]
2017-07-10 17:07 ` Eric W. Biederman
2017-07-18 6:39 ` Kees Cook
2017-07-18 6:39 ` Kees Cook
2017-07-18 13:12 ` Eric W. Biederman
2017-07-18 13:12 ` Eric W. Biederman
2017-07-18 13:42 ` Kees Cook
2017-07-18 13:42 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 8:57 ` Eric W. Biederman
2017-07-10 8:57 ` Eric W. Biederman
2017-07-10 16:06 ` Kees Cook
2017-07-10 16:06 ` Kees Cook
2017-07-10 17:18 ` Eric W. Biederman
2017-07-10 17:18 ` Eric W. Biederman
2017-07-11 2:07 ` Kees Cook
2017-07-11 2:07 ` Kees Cook
2017-07-18 6:45 ` Kees Cook
2017-07-18 6:45 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 3/8] exec: Use secureexec for setting dumpability Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 4/8] exec: Use secureexec for clearing pdeath_signal Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 5/8] smack: Remove redundant pdeath_signal clearing Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 6/8] exec: Consolidate dumpability logic Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 7/8] exec: Consolidate pdeath_signal clearing Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 7:57 ` [PATCH v2 8/8] exec: Use sane stack rlimit under secureexec Kees Cook
2017-07-10 7:57 ` Kees Cook
2017-07-10 14:08 ` Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pod8mdad.fsf@xmission.com \
--to=ebiederm@xmission.com \
--cc=Jason@zx2c4.com \
--cc=ben@decadent.org.uk \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=gerg@linux-m68k.org \
--cc=hughd@google.com \
--cc=james.l.morris@oracle.com \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mhocko@kernel.org \
--cc=mic@digikod.net \
--cc=mingo@kernel.org \
--cc=nicolas.pitre@linaro.org \
--cc=oleg@redhat.com \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=riel@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=vgoyal@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.